Cyber Incident Victim: Kaleida Health
Date: May 2017
Location: United States of America
Summary
Kaleida Health experienced a phishing incident where unauthorized access to employee email accounts potentially exposed patient information, including names, medical record numbers, dates of birth, diagnoses, treatment details, and other clinical data. The organization confirmed no Social Security numbers or financial information were compromised and found no evidence of misuse. Affected individuals were notified via mailed letters, and a dedicated call center was established to address concerns. Security measures were subsequently enhanced to prevent future incidents.
Description
On May 24, 2017, Kaleida Health discovered that an unauthorized third party potentially accessed a single employee’s email account. The organization immediately initiated an investigation with assistance from an external computer forensic firm. The forensic analysis revealed that multiple email accounts might have been compromised, though the breach remained limited in scope. These accounts contained patient information including names, medical record numbers, dates of birth, diagnoses, treatment details, and other clinical data. Notably, the investigation confirmed that Social Security numbers and financial information were not stored in the affected email accounts. Kaleida Health found no evidence suggesting the compromised data had been misused or disseminated following the breach. The incident stemmed from a phishing attack targeting employee credentials, though the specific method of initial compromise was not detailed in public disclosures.

Kaleida Health began notifying 2,789 affected patients via mailed letters starting July 21, 2017, approximately two months after detecting the incident. The organization established a dedicated call center operational on weekdays from 9:00 a.m. to 6:00 p.m. Eastern Time to address patient inquiries, advising those who hadn’t received notification by August 11 to contact the provided toll-free number. While reiterating that no financial or Social Security data was exposed, Kaleida Health acknowledged the potential risk posed by the exposure of clinical information. The organization stated it was implementing enhanced security measures to better protect patient data but did not specify the technical or procedural changes made. No regulatory fines, legal actions, or operational disruptions were reported in connection with the incident.
